Another layer of data security regulations has been added to healthcare, this time by the state. The 50th state to pass such a law, the Alabama Data Breach Notification Act of 2018 went into effect on June 1 with the intent to protect and alert Alabama residents to breaches of their personal data stored or used by most any company.
"Don't think this doesn't apply to you just because your healthcare business comes under HIPAA," says Randy Rupp, CISSP, with ICS Medtech. "You could easily bleed over between the two laws."
Unlike the Health Insurance Portability and Accountability Act (HIPAA), the state act pertains to any company or person that acquires or uses sensitive personally identifying information (SPII). Also unlike HIPAA, it not only requires these entities to install security measures to protect that data, but also to assess those measures. "Basically you should have plain, clear information on how you address any risks to that data and how you measure whether it is effective," Rupp says.
Though HIPAA does allude to the need for assessing the effectiveness of safeguards in a written risk assessment, it does not require that those measures be spelled out.
The new state law also specifically states that external breach risks must be identified, unlike HIPAA.
HIPAA only requires internal risks be noted. "It's more vague, interpretative language," Rupp says. "Alabama's law is the same requirements but in more detail than HIPAA."
"It speaks to the same thing," says Curtis Woods with Integrated Solutions. "The intention was already there in HIPAA/HITECH. Alabama just used the wording. It really doesn't change what should be done."
Alabama's law also requires each company to specify one employee as the cyber-security officer. "Every company must now have someone designated in writing as responsible for coordinating all of the data security measures," Woods says.
This kind of specificity has brought approval from IT experts for the new law. "We love it," Rupp says. "Rather than just giving you a mandate, they tell you what to do to meet the mandate."
For instance, Alabama lists the exact pieces of personal data that fall under the auspices of the law, such as an individual's health insurance policy number or an email address with a password that would permit access to an online account.
"The average person can read it and understand it, and it's only 17 pages long," Woods says. "It's also stronger than some other states."
Whereas most states require breaches to be reported in 90 days, Alabama halves that to 45 days. "And if remediation is not occurring in a timely fashion, then the Alabama Attorney General can issue a $5,000 fine per day up to $500,000 per breach," Woods says. Those fines would be in conjunction to whatever the federal government may levy on a provider for the breach.
The fines and the cost of responding to breaches now means every healthcare business also needs cyber-security insurance. "You've got to have it. It's as important to a business as having professional liability insurance," Woods says. "I just upped ours."
Most practices get $50,000 as a rider to their malpractice insurance, says Rupp. "But there's no way this is ever going to be enough to cover you in case of a breach."
"Half a million would be a minimum for anybody," Woods says. "You have all the legal fees, forensics, the audit per HIPAA, filings with authorities, all the mailings to notify those affected, plus to cover your time spent dealing with this. And if you have to pay fines, that half million could get eaten up in a heartbeat."
Cyber-security insurance not only means financial coverage, but can also offer expert guidance when a breach occurs. "Your insurance company should be your first call," Woods says, to ensure their steps and professionals are followed to ensure coverage.
Many cyber insurers have their own lawyers and forensic teams. They may also take care of filing, reporting and notifications, along with satisfying any other states' breach laws that could apply to patients living outside of Alabama. "You can't run your business if you have to focus on all that," Woods says. "There are a lot of steps you have to go through."
The Alabama law also fills a gap left by HIPAA -- the handling of third-party vendors. Last year, 56 percent of breaches were caused by a third-party, a seven percent increase from 2016, according to the Ponemon Institute Data Risk in the Third-Party Ecosystem study.
"In the last three years, the biggest breaches have been by third-party vendors," Rupp says. Hackers burrowed their way into Target through the HVAC vendors, who remotely controlled the temperature. "Don't just think of IT vendors. Think of anybody who touches your environment no matter what they do. You have to know and document how they access anything in your environment and, most importantly, how that vendor will make sure any SPII data is safe and secure."
Breaches, say IT experts, are no longer about embarrassment when precautions are taken. "No place is safe anymore," Woods says, including the cloud and off-site data storage facilities. "But breaches are not an everyday occurrence in Alabama, either." The HHS (HIPAA enforcers) website shows seven breaches in the state over the last 18 months. "These are only the confirmed ones. Most of them are not reported."
But Alabama's new breach law may help bring more to light and raise the vigilance of companies, including in healthcare. "The law is good. It's strong. It does protect," Woods says. "Now let's see if it will get enforced."